kind: MasterConfig
apiVersion: v1
admissionConfig:
  pluginConfig:{{ openshift.master.admission_plugin_config | default(None) | lib_utils_to_padded_yaml(level=2) }}
aggregatorConfig:
  proxyClientInfo:
    certFile: aggregator-front-proxy.crt
    keyFile: aggregator-front-proxy.key
authConfig:
  requestHeader:
    clientCA: front-proxy-ca.crt
    clientCommonNames:
    - aggregator-front-proxy
    usernameHeaders:
    - X-Remote-User
    groupHeaders:
    - X-Remote-Group
    extraHeaderPrefixes:
    - X-Remote-Extra-
apiLevels:
- v1
{% if openshift.master.audit_config is defined %}
auditConfig:{{ openshift.master.audit_config | lib_utils_to_padded_yaml(level=1) }}
{% endif %}
controllerConfig:
  election:
    lockName: openshift-master-controllers
  serviceServingCert:
    signer:
      certFile: service-signer.crt
      keyFile: service-signer.key
controllers: '*'
corsAllowedOrigins:
  # anchor with start (\A) and end (\z) of the string, make the check case insensitive ((?i)) and escape hostname
{% for origin in ['127.0.0.1', 'localhost', openshift.common.ip, openshift.common.public_ip] | union(openshift.common.all_hostnames) | unique %}
  - (?i)//{{ origin | regex_escape() }}(:|\z)
{% endfor %}
{% for custom_origin in osm_custom_cors_origins | default("") %}
  - (?i)//{{ custom_origin | regex_escape() }}(:|\z)
{% endfor %}
{% if 'disabled_features' in openshift.master %}
disabledFeatures: {{ openshift.master.disabled_features | to_json }}
{% endif %}
{% if openshift_master_embedded_dns | bool %}
dnsConfig:
  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift_master_dns_port }}
  bindNetwork: tcp4
{% endif %}
etcdClientInfo:
  ca: master.etcd-ca.crt
  certFile: master.etcd-client.crt
  keyFile: master.etcd-client.key
  urls:
{% for etcd_url in openshift_master_etcd_urls %}
    - {{ etcd_url }}
{% endfor %}
etcdStorageConfig:
  kubernetesStoragePrefix: kubernetes.io
  kubernetesStorageVersion: v1
  openShiftStoragePrefix: openshift.io
  openShiftStorageVersion: v1
imageConfig:
  format: {{ openshift_imageconfig_format }}
  latest: {{ openshift_master_image_config_latest }}
imagePolicyConfig:{{ openshift.master.image_policy_config | default({}) | combine({"internalRegistryHostname":"docker-registry.default.svc:5000"}) | lib_utils_to_padded_yaml(level=1) }}
kubeletClientInfo:
{# TODO: allow user specified kubelet port #}
  ca: ca-bundle.crt
  certFile: master.kubelet-client.crt
  keyFile: master.kubelet-client.key
  port: 10250
{% if openshift_master_embedded_kube | bool %}
kubernetesMasterConfig:
  apiServerArguments:
    {{ openshift.master.api_server_args | default(None) | lib_utils_to_padded_yaml( level=2 ) }}
    storage-backend:
    - etcd3
    storage-media-type:
    - application/vnd.kubernetes.protobuf
{% if openshift_master_use_persistentlocalvolumes | bool %}
    feature-gates:
    - PersistentLocalVolumes=true
    - VolumeScheduling=true
{% endif %}
  controllerArguments: {{ openshift.master.controller_args | default(None) | lib_utils_to_padded_yaml( level=2 ) }}
    pv-recycler-pod-template-filepath-nfs:
    - "/etc/origin/master/recycler_pod.yaml"
    pv-recycler-pod-template-filepath-hostpath:
    - "/etc/origin/master/recycler_pod.yaml"
{% if openshift_is_atomic | bool %}
    flex-volume-plugin-dir:
    - "/etc/origin/kubelet-plugins/volume/exec"
{% endif %}
{% if openshift_master_use_persistentlocalvolumes | bool %}
    feature-gates:
    - PersistentLocalVolumes=true
    - VolumeScheduling=true
{% endif %}
  masterCount: {{ openshift_master_count | default(groups.oo_masters | length) }}
  masterIP: {{ openshift.common.ip }}
  podEvictionTimeout: {{ openshift_master_pod_eviction_timeout }}
  proxyClientInfo:
    certFile: master.proxy-client.crt
    keyFile: master.proxy-client.key
  schedulerArguments: {{ openshift_master_scheduler_args | default(None) | lib_utils_to_padded_yaml( level=3 ) }}
  schedulerConfigFile: {{ openshift_master_scheduler_conf }}
  servicesNodePortRange: "{{ openshift_node_port_range | default("") }}"
  servicesSubnet: {{ openshift.common.portal_net }}
  staticNodeNames: {{ openshift_node_ips | default([], true) }}
{% endif %}
masterClients:
{# TODO: allow user to set externalKubernetesKubeConfig #}
  externalKubernetesClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    contentType: application/vnd.kubernetes.protobuf
    burst: {{ openshift_master_external_ratelimit_burst | default(400) }}
    qps: {{ openshift_master_external_ratelimit_qps | default(200) }}
  externalKubernetesKubeConfig: ""
  openshiftLoopbackClientConnectionOverrides:
    acceptContentTypes: application/vnd.kubernetes.protobuf,application/json
    contentType: application/vnd.kubernetes.protobuf
    burst: {{ openshift_master_loopback_ratelimit_burst | default(600) }}
    qps: {{ openshift_master_loopback_ratelimit_qps | default(300) }}
  openshiftLoopbackKubeConfig: openshift-master.kubeconfig
masterPublicURL: {{ openshift.master.public_api_url }}
networkConfig:
  clusterNetworks:
  - cidr: {{ openshift_cluster_network_cidr }}
    hostSubnetLength: {{ openshift_host_subnet_length }}
{% if r_openshift_master_use_openshift_sdn or r_openshift_master_use_nuage or r_openshift_master_use_contiv or r_openshift_master_use_kuryr or r_openshift_master_sdn_network_plugin_name == 'cni' %}
  networkPluginName: {{ r_openshift_master_sdn_network_plugin_name_default }}
{% endif %}
# serviceNetworkCIDR must match kubernetesMasterConfig.servicesSubnet
  serviceNetworkCIDR: {{ openshift.common.portal_net }}
  externalIPNetworkCIDRs: {{ openshift_master_external_ip_network_cidrs | default(["0.0.0.0/0"]) | lib_utils_to_padded_yaml(1,2) }}
{% if openshift_master_ingress_ip_network_cidr is defined %}
  ingressIPNetworkCIDR: {{ openshift_master_ingress_ip_network_cidr }}
{% endif %}
oauthConfig:
{% if openshift_master_oauth_always_show_provider_selection is defined %}
  alwaysShowProviderSelection: {{ openshift_master_oauth_always_show_provider_selection }}
{% endif %}
{% if l_openshift_master_oauth_templates %}
  templates:{{ l_openshift_master_oauth_templates | lib_utils_to_padded_yaml(level=2) }}
{% endif %}
  assetPublicURL: {{ openshift.master.public_console_url }}/
  grantConfig:
    method: {{ openshift_master_oauth_grant_method }}
  identityProviders:
{% for line in translated_identity_providers.splitlines() %}
  {{ line }}
{% endfor %}
  masterCA: ca-bundle.crt
  masterPublicURL: {{ openshift.master.public_api_url }}
  masterURL: {{ openshift.master.api_url }}
  sessionConfig:
    sessionMaxAgeSeconds: {{ openshift.master.session_max_seconds }}
    sessionName: {{ openshift.master.session_name }}
    sessionSecretsFile: {{ openshift_master_session_secrets_file }}
  tokenConfig:
    accessTokenMaxAgeSeconds: {{ openshift_master_access_token_max_seconds }}
    authorizeTokenMaxAgeSeconds: {{ openshift_master_auth_token_max_seconds }}
pauseControllers: false
policyConfig:
  bootstrapPolicyFile: {{ openshift_master_policy }}
  openshiftInfrastructureNamespace: openshift-infra
  openshiftSharedResourcesNamespace: openshift
projectConfig:
  defaultNodeSelector: "{{ hostvars[groups.oo_first_master.0].l_osm_default_node_selector }}"
  projectRequestMessage: "{{ osm_project_request_message }}"
  projectRequestTemplate: "{{ osm_project_request_template }}"
  securityAllocator:
    mcsAllocatorRange: "{{ osm_mcs_allocator_range }}"
    mcsLabelsPerProject: {{ osm_mcs_labels_per_project }}
    uidAllocatorRange: "{{ osm_uid_allocator_range }}"
routingConfig:
  subdomain:  "{{ openshift_master_default_subdomain }}"
serviceAccountConfig:
  limitSecretReferences: {{ openshift_master_saconfig_limitsecretreferences | default(false) }}
  managedNames:
  - default
  - builder
  - deployer
  masterCA: ca-bundle.crt
  privateKeyFile: serviceaccounts.private.key
  publicKeyFiles:
  - serviceaccounts.public.key
servingInfo:
  bindAddress: {{ openshift.master.bind_addr }}:{{ openshift_master_api_port }}
  bindNetwork: tcp4
  certFile: master.server.crt
  clientCA: ca.crt
  keyFile: master.server.key
  maxRequestsInFlight: {{ openshift_master_max_requests_inflight }}
  requestTimeoutSeconds: 3600
{% if openshift.master.named_certificates | default([]) | length > 0 %}
  namedCertificates:
{% for named_certificate in openshift.master.named_certificates %}
  - certFile: {{ named_certificate['certfile'] }}
    keyFile: {{ named_certificate['keyfile'] }}
    names:
{% for name in named_certificate['names'] %}
    - "{{ name }}"
{% endfor %}
{% endfor %}
{% endif %}
{% if openshift_master_min_tls_version is defined %}
  minTLSVersion: {{ openshift_master_min_tls_version }}
{% endif %}
{% if openshift_master_cipher_suites is defined %}
  cipherSuites:
{% for cipher_suite in openshift_master_cipher_suites %}
  - {{ cipher_suite }}
{% endfor %}
{% endif %}
volumeConfig:
  dynamicProvisioningEnabled: {{ openshift_master_dynamic_provisioning_enabled }}
